Regulators in the financial sector have been tackling the field of operational resilience head on for the last few years. Different regions are in different states of play, some with active legislation and oversight, and many with ongoing discussions about the future regulatory playing field.
Let’s explore what is happening in some key geographies, including current state and what might be coming, along with some common themes and directions we are seeing.
Global regulations and guidance
The Basel Committee on Banking Supervision released its Principles for Operational Resilience in March 2021, introducing seven principles grouped under seven categories:
- Governance
- Operational risk management
- Business continuity planning and testing
- Mapping of interdependencies of critical operations
- Third-party dependency
- Incident management
- Resilient ICT
These points have been used as guidance by financial services firms around the world and have helped shape the direction of other regulators.
Regulations and guidance in the UK
Current state
The Bank of England in the UK has paved the regulatory path with the introduction of its Operational Resilience rules. These rules set out the minimum expectations and core processes that regulated entities are required to have in place to manage the resilience of their operations. While the full extent of those rules will not be enforced until 31 March 2025, the first set of requirements came into effect on 31 March 2022. The template set by the Bank of England is now being echoed and referenced in other geographies.
What’s next
The FCA in the UK released a discussion paper on Critical Third Parties in July 2022 outlining the need for additional measures to manage systemic risks posed by critical third parties (CTPs), with concentration risk of particular concern.
They note in a preceding policy statement that over 65% of UK firms use the same four cloud providers. The discussion paper describes an imagined but plausible scenario in which firms use different software providers to support similar important business services, while each of those software providers uses the same cloud provider, with neither the software providers nor the firms aware that such concentration exists. In extreme cases this type of disruption could impact the financial stability of the UK.
While firms would remain accountable for meeting their own operational resilience obligations, those designated as critical third parties would also be subject to regulation. The designation of CTPs would be based on high level criteria of materiality and concentration.
The suggested minimum resilience standards for CTPs could cover identification, mapping, risk management, testing, information sharing with supervisory authorities, developing a continuity playbook, incident response communication, plans, and continuous improvement. Noteworthy is that the resilience testing may include participation in sector-wide exercises, not just ‘play at home’ assurance testing.
Supervisory oversight would be limited to the material services these organisations provide to regulated firms, not their overall operations. Distinct from DORA in the EU, the FCA discussion paper notes that this is not limited to ICT, citing examples of cash distribution or claims management services as outsourced functions. Another difference is that they are not proposing the third-party entities must operate in the regulated region.
Perhaps notable for the rest of the world is the FCA’s suggestion that while challenging, a global methodology for identifying potential CTPs may be desirable, with respondents invited to answer questions on such an approach.
Regulations and guidance in Australia
Current state
The Australian Prudential Regulation Authority (APRA) has just released its Draft Prudential Standard CPS 230 Operational Risk Management. In the prior few years, APRA had released statements that operational resilience has been a focus over the past two decades, and considered operational resilience to be an umbrella term that includes operational risk, outsourcing, and business continuity management.
The proposed standard consolidates several other standards, and its key focus is to:
- Strengthen operational risk management with a big focus on controls management and testing
- Improve business continuity planning so that entities are prepared and ready to ensure continued delivery of critical operations during periods of disruption
- Enhance third-party risk management by effectively managing the risks associated with the use of service providers
What’s next?
With the draft CPS 230 Operational Risk Management just released, it is currently open for feedback, with submissions due by 21 October 2022. We will watch with interest to see how the industry responds, and how that response shapes the final standard and the guidance that is due to follow in early 2023.
We won’t only be watching. Read our dedicated article to find out more about the draft standard, and you can expect to hear more from us in future about the direction that APRA are taking.
Regulations and guidance in the US
In October 2020 the Federal Reserve released a joint regulatory paper on Sound Practices to Strengthen Operational Resilience.
Its seven main sections bring together existing guidance and are similar, although not identical, to those issued by the Basel Committee:
- Governance
- Operational risk management
- Business continuity management
- Third-party risk management
- Scenario analysis
- Secure and resilient information system management
- Surveillance & reporting
The paper does not introduce any specific new requirements on US firms, but highlights the regulator’s change in focus.
Regulations and guidance in Singapore
The Monetary Authority of Singapore has adopted many of the processes used in the UK approach, but has opted to update and integrate the processes into its business continuity management guidelines. While the phrase ‘operational resilience’ takes a backseat and is referenced only once in the document, the focus on external stakeholders, dependency mapping and audit aligns this closely to the UK process.
Regulations and guidance in Hong Kong
In May 2022, the Hong Kong Monetary Authority released its Supervisory Policy Manual on Operational Resilience. It aligns very closely with the requirements in the UK, including an expectation that all Authorized Institutions will have completed initial mapping of their framework in the first year, and be fully implemented within three years.
Regulations and guidance in the European Union
In the EU, the proposed Digital Operational Resilience Act (DORA) has a planned sitting date in the European Parliament in November 2022. This legislation seeks to align the approach to managing ICT and cyber risk in the financial sector across the European Union member states.
Key sections covered by the proposed legislation include:
- ICT Risk Management: Identifying, classifying and documenting IT business functions, including interconnections with internal and external ICT systems.
- ICT-Related Incidents: How incidents must be managed, how they are classified, and mandatory reporting to authorities
- Digital Operational Resilience Testing: Independent testing, reporting on testing to relevant authorities, and minimum requirements for testers
- ICT Third-Party Risk: Maintaining an ICT third-party strategy, maintaining a Register of Information for contracted ICT services (including distinguishing between those that cover critical functions and those that don’t), due diligence requirements, and minimum expectations in contractual clauses
- An oversight framework of critical third-party service providers
- Financial entities must only engage with critical ICT providers if they operate in the European Union, in order to enable harmonised regulation
The last two points are perhaps the most important, as critical third-party providers, not just the regulated entities themselves, will become subject to oversight.
Common themes across regions
Often what is discussed in one part of the globe in the financial sector has echoes in others, and that has certainly been the case for operational resilience. Below are the common themes we are seeing that you may want to consider when developing your future roadmap:
- Continued focus on mapping of interdependencies between resources and third parties
- Critical third parties may find themselves subject to assurance not just from regulated entities, but from regulators directly
- When third parties aren’t directly regulated, regulated entities may pressure their third parties to adopt or align with their operational resilience processes as those processes mature to improve integration and monitoring
- Understanding and addressing concentration risks in financial sector supply chains is coming into sharper focus for regulators
Next steps for your organisation
Protecht recently launched the Protecht.ERM Operational Resilience module, which helps you identify and manage potential disruption so you can provide the critical services your customers and community rely on.